Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
  1. #1
    Regular Coder logictrap's Avatar
    Join Date
    Apr 2008
    Posts
    155
    Thanks
    11
    Thanked 3 Times in 3 Posts

    Sanitizing user submitted html

    Looking for advice and code to sanitize html submitted through a cms system.

    Permissible content:


    • html
    • javascipt


    Not Allowed:


    • php
    • are there other things that should be excluded?

    I realize allowing javascript is also risky, but have to allow it so users can include 3rd party widgets, etc.

    Thanks

    Which came first - the chicken or the egg? The egg... [ticket closed]
    If a tree falls... does it make a sound? Yes.............. [ticket closed]

  • #2
    Super Moderator
    Join Date
    Feb 2009
    Location
    England
    Posts
    539
    Thanks
    8
    Thanked 63 Times in 54 Posts
    Well, if you're going to allow html and javascript, you've pretty much done yourself out of any sanitisation. The simple fact that javascript is allowed, means your site is open to anything - including cross-site hacks and viruses, unless you moderate everything.

    You don't need to strip PHP if you're just storing and echo()ing it out. Just don't include() or eval() it...

    Another point here is: stripping out php is kinda awkward, but if you wanna pursue it properly, without "hacky" str_replace(), gimmie a shout.
    lamped.co.uk :: Design, Development & Hosting
    marcgray.co.uk :: Technical blog


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •